Enable Two-Factor Authentication in LastPass

Your LastPass password vault is full of exceptionally important data. Add additional security with two-factor authentication.

Two-factor (or multi-factor) authentication is one of the most reliable ways to protect an account from takeover. With two-factor authentication enabled, an attacker who knows only your password still can’t log in to your account.

LastPass is a utility used to store and remember your login credentials. Using a tool like LastPass makes you more secure by creating long, complex passwords you don’t need to remember, because LastPass remembers them for you.

The most common concern about password vaults is this: what if someone, somehow, gets the master password to your LastPass vault? While extremely unlikely, the cost of failure is pretty high: that person would have access to every account stored in your LastPass vault.

It’s not very likely, but when adding additional security, it’s possible a misstep along the way could get you locked out of your LastPass account. The folks at LastPass do not have a back door to regain access to your account (should you lose your password, for example), so you’d likely be on your own.

Actually, my recommendation is to back up your LastPass vault periodically, regardless of whether you use two-factor or not. I back up mine monthly.

Two-factor options

Two-factor improves security by adding a factor to identity authentication. In addition to knowing the account ID and password, you also prove you have something specifically associated with your account in your possession. The most common proof is an application, or app, running on your smartphone.

The free version of LastPass supports a number of apps, including Google Authenticator, Authy, Microsoft Authenticator, and LastPass’s own authentication application. The proof typically takes the form of entering a random-looking number generated by the app when requested by LastPass at login time. The advantage is that the phone needs no network connectivity to generate the number. Other forms of proof can include SMS messages or even a simple confirmation prompt from the app.

In addition, so-called “grid” authentication is supported. When set up, you’re given a 10 x 26 grid of random characters which you save. You prove that you are in possession of this grid by entering specific characters from the grid when requested. The advantage here is that you don’t need a phone, smart or otherwise.
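To make the grid mechanism concrete, here is an added example in Python (not code from the article or from LastPass) that models it: a 10 x 26 grid of random characters is generated once and saved by the user, each login challenge names a few cells, and the response is checked against the stored grid. The row labels A–Z and column labels 0–9 are an assumption for the demo, not LastPass’s actual layout.

```python
import hmac
import secrets
import string

# Assumed labelling for the demo: 26 rows A..Z and 10 columns 0..9.
ROWS = string.ascii_uppercase
COLS = [str(d) for d in range(10)]
# Character set the grid cells are drawn from (assumption).
ALPHABET = string.ascii_uppercase + string.digits


def make_grid():
    """Generate the 10 x 26 grid the user saves or prints (uses a CSPRNG)."""
    return {r: {c: secrets.choice(ALPHABET) for c in COLS} for r in ROWS}


def make_challenge(n=4):
    """Pick n distinct cells, e.g. ['C7', 'Q0', ...], that the user must read off the grid."""
    cells = [r + c for r in ROWS for c in COLS]
    picked = []
    while len(picked) < n:
        cell = secrets.choice(cells)
        if cell not in picked:
            picked.append(cell)
    return picked


def expected_response(grid, challenge):
    """The characters at the challenged cells, in challenge order."""
    return "".join(grid[cell[0]][cell[1]] for cell in challenge)


def verify_grid_response(grid, challenge, response):
    """Server-side check; constant-time compare so timing leaks nothing about the grid."""
    return hmac.compare_digest(expected_response(grid, challenge), response.strip().upper())


if __name__ == "__main__":
    g = make_grid()
    ch = make_challenge()
    print("Challenge:", ch, "-> expected:", expected_response(g, ch))
```

Because the whole grid is the shared secret, a challenge only ever reveals the few cells it names, and the printout deserves the same protection as a password.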

We’ll set up two-factor using an app on your phone, and we’ll also create a grid as a secondary safety net.

Enabling two-factor using an app

In your browser, log in to your LastPass account normally. Open your vault, click on your account name in the upper right, and click on Account Settings.

In account settings, click on the Multifactor Options tab.

On the Google Authenticator line, click on the pencil to the right.

First, change the “Enabled” setting to “Yes.”

Two items below “Enabled,” on the “Barcode” line, click on View. You’ll need to re-enter your master password. (You’ll need to re-enter your master password at several steps in this process.)

This prevents someone from just walking up to your logged-in LastPass session and enabling two-factor without your consent.

LastPass will now display a QR Code, which they refer to as a barcode.

Install an app on your phone

What we’ve done so far prepares us to associate our LastPass account with an app installed on a smartphone — specifically the Google Authenticator.

This approach is compatible with other two-factor applications as well. I happen to prefer Authy, as it allows you to transfer the two-factor authentication more easily to another device should you ever replace your phone, or even to multiple devices if you care to.

Whichever application you choose, look for the option to add an account.

The instructions presented will have you “scan a QR code”. Select that option, which uses the phone’s camera. Point the camera at the QR code displayed on your computer by LastPass.

Once the QR code has been scanned, the application will display a seemingly random number for that account.

This number will change every 30 seconds, and is unique to your phone. Your ability to enter this number is what proves you have the phone (your second factor) in your possession.

Complete the association

Return to LastPass on your computer, where it should still be displaying the QR code. Click on Update. You’ll be asked to enter the code displayed on your two-factor device to confirm that everything is set up properly.

Once you do so, two-factor authentication is enabled for your LastPass account.

If you lose your phone, you’ll have lost your second factor. One of the easiest ways to prepare for that is to create an alternative second factor you can use in its place.

Back on the Multifactor Options page in LastPass, click on the pencil at the far right of the Grid line.

As before, make sure that “Enabled” is set to Yes.

Click on the View and print link on the Grid line to see your grid in a new browser tab.

Save this image somewhere secure, and/or print it out and save the printout somewhere secure. If you plan to use the grid as your primary two-factor authentication mechanism, you may want to keep a copy in your wallet.

Click Update to enable grid two-factor authentication.

Set a default two-factor mechanism

With two (or more) options for two-factor authentication, we need to specify which is to be used by default, with the other remaining as an available backup should we need it.

At the bottom of the Multifactor Options screen is a setting: Default Multifactor Option. If you’ve followed along above, I recommend setting that to Google Authenticator.

Close the options window and you’re done.

Using LastPass two-factor authentication

The next time you log in to LastPass, you’ll be presented with an additional dialog after you enter your master password.

Enter the code currently displayed by the authenticator app on your phone to prove you have the phone — your second factor — in your possession.

Before you click on Authenticate, you can check “Trust this computer for 30 days”. This removes the two-factor requirement from this computer for this account for that time period, so you don’t need to have your second factor at hand each time you log in during that period.

If this is a computer at home, and you can trust that others won’t log in as you, this is a reasonable setting, and is what I set myself. On the other hand, on a device with which I travel, such as my laptop, I do not check it.

If you don’t have your phone, or you’ve lost it, click on I’ve lost my Google Authenticator device. You’ll be emailed a link that will disable Google two-factor authentication on the account. (See note below.) Since we also set up grid two-factor authentication, your account remains protected. The next time you log in, it will now ask for grid data instead.

Once you’ve logged in successfully, you can return to the Multifactor Authentication settings and associate a new device, or turn off two-factor completely (though hopefully only as a temporary measure).

Chicken versus egg?

If you can’t log in to your email because the password is in LastPass, and you can’t log in to LastPass because you’ve lost your second factor, things get sticky. Instructions are to email support at LastPass for additional assistance. I reached out for clarification and received two pieces of interesting information:

You may still be able to log in to your local copy of LastPass in “offline mode”. You can do this on any device you’d previously logged in on, as long as you have the correct master password, by disconnecting your computer from the internet. This simply uses the contents of your vault already on your computer, downloaded from that previous online login. If that works, you can then log in to your email normally. I’d also recommend backing up your vault right away if you hadn’t already, just in case.

LastPass support can also disable the second-factor requirement from their end, but to do so, they need to verify that you are who you say you are. They do that by asking a series of questions relating to you, your LastPass account, and your recent activity in LastPass. You can see the list of questions asked here: LastPass Identity Verification. Needless to say, the barrier should be high so as to prevent someone from attempting to impersonate you. They can’t (or shouldn’t) reveal how much of the information you need to provide correctly, but the more you can provide, the better.

And as a final reminder: LastPass support does not know and cannot recover your master password. There are no back doors. If you forget your master password, you’ve lost the contents of your LastPass vault.

About Leo

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

I am a retired software engineer with degrees in systems engineering and electrical engineering. I developed software for cell phones and base stations, so I am not exactly naive about computers and such. I have used smart phones while I had to deal with people and situations. Lately, I just don’t want the expense and the bother. I use a dumb phone when I am away from home just for calls and occasionally to receive a text message. I rely on my home computer at home, or my laptop when I am traveling. This is why I have not taken advantage of two-factor authorization. It assumes that one is using a smart phone. I am sure that I am not the only one.

The nearest to a solution for me is what you glossed over, “The Grid”. Since you did not elaborate on its usage and possible negative aspects, I will look into it. Thanks for pointing it out.

LastPass actually has several alternatives to using Google Authenticator — I simply focused on it as being the most popular and flexible for most people. Definitely check out the LastPass site for more info.

That’s no reason to delete LastPass. It will work for many other sites. And for your bank site you can use it for a secure notepad where you can keep your passwords in case you need to look them up. Also, if the two passwords are used in different places on the bank’s website I think you will find that LastPass can handle it.

Just last week, I received an email from LastPass to that regard and I very quickly obliged. Now that I have two-factor authentication all set up for LastPass, I feel more secure. But, what I didn’t know is that one can actually back up one’s LastPass vault. I found that totally amazing and really interesting.

A great many thanks Leo for doing what you are doing: “Making technology work for everyone”. I always find something new to learn every time I read one of your helpful articles.

Currently, LastPass Authenticator is enabled, and when entering the master password, there is a button “Send code with SMS” in the Authenticator dialog; the code is received by SMS on the smartphone, so we are authenticated by SMS.
Leo says that SMS authentication is excellent; should you use Google authentication?
